Criminals carried out more but smaller data thefts last year than in previous years, indicating a shift toward simpler exploits that run lower risk of punishment, according to Verizon’s latest data breach report
In 2010 the number of breaches skyrocketed to 760 from 141 the year before, according to the “2011 Verizon Data Breach Investigation Report”. At the same time the number of actual records compromised by the breaches plummeted from 144 million in 2009 to four million in 2010.
On average, then, in 2009 the number of records stolen per breach was about 1.02 million. For 2010 that number was 5,263.
What’s going on? The type of data being sought by criminals shifted from payment card numbers to intellectual property, information about business processes and deals being made between businesses, says David Ostertag, global investigations manager for Verizon.
“With intellectual property they may get one record but it will have a much higher value than one payment card record,” Ostertag says.
In cases where payment card information was stolen, the number of records taken per breach was much less, indicating that criminals are trying to minimize the attention they draw, he says. “There’s less chance of being caught because fewer resources are being applied to catch them,” he says.
That may already be changing, though, with early results from 2011 indicating a surge in high-volume data breaches. The motivation may be that stockpiles of stolen card data have been depleted over the past year and more are needed to replenish them. “Supply and demand has a lot to do with it,” he says. “The bad guys need a new supply.”
Also anecdotally, there seems to be a recent uptick in unauthorized peer-to-peer traffic on networks, Ostertag says, which could be criminals doing research and development on ways to send data out once it has been compromised.
“They’re better at getting in, but not at exfiltrating the data,” he says.
Threats from outside businesses has also jumped dramatically from 70 per cent to 92 per cent, which may be due to commoditized attack tools that are simpler to use and therefore used more often, he says.
Hospitality, retail and financial services industries accounted for 87 per cent of all the investigated data breaches.
Financial institutions in previous years accounted for 90 per cent or more of compromised records, but that fell dramatically in 2010 to 35 per cent. The reason is some breaches in past years that involved millions of records were from financial institutions. Also, criminals may be focusing more on other thefts than credit card numbers. These include theft of intellectual property, authentication data, and turning machines into bots to serve botnets, the report says.
One deceptive result is the 17 per cent of attacks involving insiders. That is a drop from 48 per cent in 2009, but the actual number of insider breaches remains about the same.
So the threat to businesses from insiders has stayed relatively constant; it’s just the total number of breaches that has dramatically increased to skew the percentage, he says.
Mobile devices have not been seen compromising systems, Ostertag says, but they have been used in compromising data.